Legal claims defining the scope of protection, as filed with the USPTO.
3. The system of claim 2, wherein the imported API function names are extracted from the parsed .NET header based at least in part on a MethodDef table.
4. The system of claim 2, wherein the imported API function names are extracted from the parsed .NET header based at least in part on an index table.
5. The system of claim 4, wherein the index table comprises an ImplMap table that indicates a set of unmanaged methods that are imported in connection with execution of the .NET file.
7. The system of claim 6, wherein the predetermined hashing function comprises at least one of a SHA-256 hashing algorithm, an MD5 hashing algorithm, and a SHA-1 hashing algorithm.
10. The system of claim 1, wherein the security entity corresponds to a firewall.
11. The system of claim 1, wherein determining whether the sample is malware based at least in part on the hash of the list of unmanaged imported API function names is performed in a sandbox environment.
12. The system of claim 1, wherein the determining whether the sample is malware based at least in part on the hash of the list of unmanaged imported API function names is performed at a security entity.
13. The system of claim 1, wherein the imported API function names are obtained based at least in part on a value corresponding to an ImportName field.
14. The system of claim 13, wherein in response to a determination the value corresponding to the ImportName field is not equal to 0, obtaining the imported API function names comprises determining a set of one or more library names based at least in part on a #Strings stream of the .NET file.
16. The system of claim 15, wherein determining the library name corresponding to the function name based at least in part on the import table comprises parsing the import table to obtain the library name from the corresponding function name.
18. The system of claim 17, wherein the string is determined by ensuring that the library name and a name of the unmanaged function do not comprise capital letters and appending the name of the unmanaged function to the library name with a predefined separator comprised between the name of the unmanaged function and the library name.
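The string construction in claim 18 and the hashing in claim 7, sketched as an added example that is not taken from the patent or from any implementation of it. It assumes the (library, function) pairs have already been extracted from the .NET metadata; the separators, the entry ordering, and all function and sample names are assumptions, since the page does not specify them.

```python
import hashlib

# Assumptions (not stated on the page): "." joins library and function,
# "," joins entries, and entries keep the order in which they were read.
NAME_SEP = "."
ENTRY_SEP = ","
ALGORITHMS = ("sha256", "md5", "sha1")  # the three algorithms named in claim 7


def normalize(library, function):
    """Lower-case both names, then append the function name to the library name."""
    return f"{library.lower()}{NAME_SEP}{function.lower()}"


def unmanaged_import_hash(imports, algorithm="sha256"):
    """Hash a list of (library, function) pairs of unmanaged imports."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    joined = ENTRY_SEP.join(normalize(lib, fn) for lib, fn in imports)
    return hashlib.new(algorithm, joined.encode("utf-8")).hexdigest()


def is_known_bad(imports, known_hashes, algorithm="sha256"):
    """Look the import hash up in a set of hashes already judged malicious."""
    return unmanaged_import_hash(imports, algorithm) in known_hashes


# Constructed sample input: the same two imports with different casing,
# plus an unrelated import list. None of these come from a real sample.
SAMPLE_A = [("kernel32.dll", "VirtualAlloc"), ("KERNEL32.DLL", "CreateThread")]
SAMPLE_B = [("Kernel32.dll", "virtualalloc"), ("kernel32.dll", "CREATETHREAD")]
SAMPLE_C = [("user32.dll", "MessageBoxW")]

if __name__ == "__main__":
    known = {unmanaged_import_hash(SAMPLE_A)}  # constructed "known bad" set
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, unmanaged_import_hash(sample), is_known_bad(sample, known))
```

Because both names are lower-cased before hashing, samples A and B produce the same hash and match the same entry, while C does not.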
November 26, 2024